PSA for DropBox ppl: apparently accts hacked (change your passwd!) Update: DB denies?

Discussion in 'iPhone' started by Hal~9000, Oct 13, 2014.

  1. Hal~9000, Oct 13, 2014
    Last edited: Oct 13, 2014

    Hal~9000 macrumors 68000


    Joined:
    Sep 13, 2014
    #1
    Update: thanks rocknblogger
    http://www.cultofmac.com/299528/millions-dropbox-accounts-allegedly-compromised-massive-hack/
    Original Post:
    http://www.cultofmac.com/299528/millions-dropbox-accounts-allegedly-compromised-massive-hack/
    **** like this makes me want to go off the grid completely :mad:
     
  2. terraphantm macrumors 68040

    Joined:
    Jun 27, 2009
    Location:
    Pennsylvania
    #2
    And this is why I'm still not sold on the whole cloud idea. Now I've got to go change my passwords
     
  3. Hal~9000 thread starter macrumors 68000


    Joined:
    Sep 13, 2014
    #3
    I agree. Why should I store my stuff online versus a hard/flash drive again? So hacker groups have a bigger fish (i.e. huge company with a lot of user sensitive information) to target and find a potential weakness? Already changed my password but man, stuff like this pisses me off :mad:

    Passwords and emails in plain text? Really Dropbox? :rolleyes:

    Of course this doesn't mean all the other cloud companies out there aren't already being hacked as well :adjusts tinfoil hat:

    p.s. my apologies dropbox if this report is false
     
  4. Supermallet macrumors 65816


    Joined:
    Sep 19, 2014
    #4
    Always always always enable two-step verification if a service or website offers it. It can be a bit of a pain but it's worth it for the security.

    Also I recommend using a password manager (I use LastPass) to generate randomized passwords unique to each site and service, and then enable two-step verification on your password manager.
     
  5. terraphantm macrumors 68040

    Joined:
    Jun 27, 2009
    Location:
    Pennsylvania
    #5
    Remembering a randomized password isn't easy. Passphrases would be better really, but many sites have a limit to the number of characters.
     
  6. Altimax98 macrumors 6502


    Joined:
    Mar 26, 2012
    Location:
    Lakeland Fl
    #6
    I utilize 2 step on every service that offers it. If they do not offer it they get a burner (but strong) password and it's for random crap.
     
  7. Supermallet macrumors 65816


    Joined:
    Sep 19, 2014
    #7
    That's the other part of the password manager, to autofill all those randomized passwords that it generated. It's even better with iOS 8 because now you can autofill just by using TouchID.

    Look into LastPass or PasswordBox or 1Password, services like those. They all have slightly different features and pay models but they're better than coming up with passwords on your own. I personally use LastPass and have two-step authentication set up on it. I use an authenticator program that I keep on a USB to log in on computers, so even if someone got my LastPass master password, they'd have to also steal the USB drive I use, find the app, and generate a one-time use code with it in order to access my data. Any attempts to access my passwords without the app will result in garbled, useless data since all of my passwords are encrypted. Same if someone tried to hack LastPass' servers.
     
  8. IrishVixen macrumors 68020


    Joined:
    Jun 20, 2010
    #8
    Oh FFS. Dealing with this crap is getting old.

    And two step authentication doesn't fix stupidity on the corporate end. Plain text?!?! Seriously?!
     
  9. alphaod macrumors Core


    Joined:
    Feb 9, 2008
    Location:
    NYC
    #9
    I already have two-step, so I guess I'm sort of safe.
     
  10. rocknblogger macrumors 68020


    Joined:
    Apr 2, 2011
    Location:
    New Jersey
    #10
  11. Supermallet macrumors 65816


    Joined:
    Sep 19, 2014
    #11
    Two-step doesn't fix stupidity on the corporate end, but it does mitigate it.

    Let's say my password, although randomized, is on that list. Someone takes that list and uses my login and password.

    Dropbox then asks it to authenticate using a code from the authenticator app on my phone (and by the way, I recommend Toopher over Google Authenticator). The person who has the list doesn't have my phone, so they won't be able to access any content on my Dropbox. And if they ask Dropbox to send a text instead, the text goes to my phone and I know I need to change my password since I'm not currently trying to sign in to Dropbox.

    The only way this becomes a problem is if A) the person with the list also stole or spoofed my phone (and managed to fake my TouchID or get my phone phrase password--not a PIN) or B) I use the same login and password on other sites without two-factor authentication.

    That's where a good password manager comes in. You can ensure that every site has a unique password that can easily be changed to something equally complex very quickly. I changed my Dropbox password within two minutes of making my first post in this thread. It's randomized and now my password manager has that one on file instead of my previous password.

    This stuff takes a little time to set up, but once you do, it runs very smoothly. At least the way I implement it.
     
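    The mitigation Supermallet lays out in #11 (a leaked password alone does not get you in when a second factor is required) and the plain-text storage complaint in #3 and #8, as an added Python example that is not from this thread, from Dropbox, or from any of the password managers named: the server keeps only a salted PBKDF2 hash of the password and demands an RFC 6238 TOTP code on top. The secret `12345678901234567890` is the published RFC 4226/6238 test vector, and the account, password and timestamp are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values: the RFC 4226/6238 test-vector secret and a made-up password.
RFC_TEST_SECRET = b"12345678901234567890"
DEMO_PASSWORD = "correct-horse-battery"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second counter."""
    return hotp(secret, unix_time // step, digits)


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is what the server stores, never the plain password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class Account:
    """What the server keeps for one user: salt, password hash and the TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret


def verify_login(account: Account, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; comparisons are constant-time to avoid timing leaks."""
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.password_hash):
        return False
    # Accept the current step and one step either side to tolerate clock skew.
    for skew in (-30, 0, 30):
        expected = totp(account.totp_secret, unix_time + skew)
        if hmac.compare_digest(expected, code):
            return True
    return False


def leaked_password_scenario() -> dict:
    """Replay the thread's scenario: someone holding the leaked password but not
    the phone, someone with a wrong password, and the owner who has both factors."""
    account = Account(DEMO_PASSWORD, RFC_TEST_SECRET)
    now = 59  # RFC 6238 test time; the 6-digit code at this instant is 287082
    phone_code = totp(RFC_TEST_SECRET, now)
    return {
        "leaked_password_no_phone": verify_login(account, DEMO_PASSWORD, "000000", now),
        "wrong_password_with_code": verify_login(account, "hunter2", phone_code, now),
        "owner_with_phone": verify_login(account, DEMO_PASSWORD, phone_code, now),
    }


if __name__ == "__main__":
    print(leaked_password_scenario())
```

    Only the last case succeeds: the password from a dump is useless without the code from the phone, and because the stored value is a salted hash, a dump of the user table does not hand out passwords in plain text either.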
  12. Traverse macrumors 603


    Joined:
    Mar 11, 2013
    Location:
    Here
    #12
    I haven't used DB in a year, but I changed mine anyway and enabled 2FA.
     
  13. waxlabo macrumors regular

    Joined:
    Sep 21, 2014
    #13
    From the look of the password list it doesn't really seem like there was any breach in the Dropbox database. A lot of these passwords seem easy and any password generator bot would be able to figure them out.
     
  14. urda Suspended


    Joined:
    Jun 15, 2010
    Location:
    San Francisco Bay Area
    #14
    If you're not using a password manager to generate UNIQUE passwords for EVERY WEBSITE and you're not using two-factor, you have yourself to blame.

    It's 2014, you should be using something like 1Password or LastPass.
     